forum.coppermine-gallery.net

Support => cpg1.3.x Support => Older/other versions => cpg1.3 Miscellaneous => Topic started by: PhilCowans on December 21, 2004, 11:10:44 am

Title: Security issue with coppermine
Post by: PhilCowans on December 21, 2004, 11:10:44 am
Files in the include subdirectory are installed with world writeable permissions. This is a serious vulnerability on multi-user systems, and has already caused problems on our server.

Phil
Title: Re: Security issue with coppermine
Post by: Casper on December 21, 2004, 11:36:54 am
The include directory needs to be writable during the install, but after that it is not needed, so you can change the permissions.

We have had no reports of problems with security due to this before.  What issues have you had?
Title: Re: Security issue with coppermine
Post by: PhilCowans on December 21, 2004, 11:54:37 am
That's not a solution - you cannot assume that users will change the permissions.

The problems were not directly related to coppermine - having obtained one account, the attacker used the world writable files to modify the website of another user.
Title: Re: Security issue with coppermine
Post by: Tarique Sani on December 21, 2004, 01:15:15 pm
@PhilCowans - yes you are right - the permissions for all the files in the zip are unduly permissive this usually is not a problem as most users ftp single file at a time rather than uploading the zip and unzipping it on the server.  What we really need is a gizpped tarball so that the permissions are retained as intended -  Will have it fixed ASAP - Thanks
Title: Re: Security issue with coppermine
Post by: raummusik on December 22, 2004, 01:49:44 am
yo fine.. cause of the permission writable in /include its now the worm which destroys our gallerys.. look here :


http://forum.coppermine-gallery.net/index.php?topic=12803.0

damn it . ;)
Title: Re: Security issue with coppermine
Post by: CapriSkye on December 22, 2004, 03:35:20 am
i thought writable permission isn't a security hole  :-\\

http://www.simplemachines.org/community/index.php?topic=2987.0
Title: Re: Security issue with coppermine
Post by: Tarique Sani on December 22, 2004, 04:44:18 am
yo fine.. cause of the permission writable in /include its now the worm which destroys our gallerys.. look here :
http://forum.coppermine-gallery.net/index.php?topic=12803.0

This worm is not exploiting the READ/WRITE issue - it is probably exploiting the serialise / unserialise bug in PHP version 4.3.9 and earlier - the correct solution to the problem is to have your host upgrade to PHP 4.3.10

As far as permissions in unzipped files go - that is the character of Zip files which by design DO NOT store permissions - thus if you unzip a zip file on your server its files (usually depending on the server config) will have permission 666 and the directories will have permission 777.

This will not be a problem if you unzip the file locally and upload it via FTP as most FTP clients will give sensible permissions.

Like I said earlier, however if there is to be something which can be uploaded on to the server as a single package and unzipped (untarred) then it has to be a gzipped/b2zipped tarball as tar files can retain original permissions

So the bottom line is

#1 Upgrade to PHP 4.3.10
#2 DO NOT use unzip on server blindly - either use an ftp client OR set permissions properly after unzipping
Title: Re: Security issue with coppermine
Post by: Tarique Sani on December 22, 2004, 06:31:16 am
More info

http://it.slashdot.org/article.pl?sid=04/12/21/2135235&from=rss
http://marc.theaimsgroup.com/?l=bugtraq&m=110365752909029&w=2
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513